A Classification and Comparison Framework for Software Architecture Description Languages

Transcription

1 A Classification and Comparison Framework for Software Architecture Description Languages Neno Medvidovic Technical Report UCI-ICS Department of Information and Computer Science University of California, Irvine Irvine, California February 1996 Abstract Software architectures shift the focus of developers from lines-of-code to coarsergrained architectural elements and their overall interconnection structure. Architecture description languages (ADLs) have been proposed as modeling notations to support architecture-based development. There is, however, little consensus in the research community on what is an ADL, what aspects of an architecture should be modeled in an ADL, and which of several possible ADLs is best suited for a particular problem. Furthermore, the distinction is rarely made between ADLs on one hand and formal specification, module interconnection, simulation, and programming languages on the other. This paper attempts to provide an answer to these questions. It motivates and presents a definition and a classification framework for ADLs. The utility of the definition is demonstrated by using it to differentiate ADLs from other modeling notations. The framework is also used to classify and compare several existing ADLs. One conclusion is that, although much research has been done in this area, no single ADL fulfills all of the identified needs.

2 I. Introduction Software architecture research is directed at reducing costs of developing applications and increasing the potential for commonality between different members of a closely related product family [GS93, PW92]. Software development based on common architectural idioms has its focus shifted from lines-of-code to coarser-grained architectural elements (software components and connectors) and their overall interconnection structure. To support architecture-based development, formal modeling notations and analysis and development tools that operate on architectural specifications are needed. Architecture description languages (ADLs) and their accompanying toolsets have been proposed as the answer. Loosely defined, an ADL for software applications focuses on the high-level structure of the overall application rather than the implementation details of any specific source module [Ves93]. ADLs have recently become an area of intense research in the software architecture community [GPT95, Gar95a, Wolf96]. A number of ADLs have been proposed for modeling architectures both within a particular domain and as general-purpose architecture modeling languages. In this paper, we specifically consider those languages most commonly referred to as ADLs: Aesop [GAO94, Gar95b, GKMM96], ArTek [TLPD95], C2 [MTW96, MORT96, Med96], Darwin [MDK93, MDEK95, MK95, MK96], LILEANNA [Tra93a, Tra93b], MetaH [BEJV94, Ves96], Rapide [LKA+95, LV95, Rap96], SADL [MQR95], UniCon [SDK+95, SDZ96], and Wright [AG94a, AG94b]. 1 Recently, initial work has been done on an architecture interchange language, ACME [GMW95, GMW96], which is intended to support mapping of architectural specifications from one ADL to another, and hence enable integration of support tools across ADLs. Although, strictly speaking, ACME is not an ADL, it contains a number of ADL-like features. Furthermore, it is useful to compare and differentiate it from other ADLs to highlight the difference between an ADL and an interchange language. It is, therefore, included in this paper. There is, however, still little consensus in the research community on what an ADL is, what aspects of an architecture should be modeled by an ADL, and what should be interchanged in an interchange language [MTW96]. For example, Rapide may be characterized as a general-purpose system description language that allows modeling of component interfaces and their externally visible behavior, while Wright formalizes the semantics of architectural connections. Furthermore, the distinction is rarely made between ADLs on one hand and formal specification, module interconnection (MIL), simulation, and programming languages on the other. Indeed, for 1. The full name of the ADL for C2-style architectures is C2 SADL. In order to distinguish it from SADL, which resulted from an unrelated project at SRI, it will be referred to simply as C2 in the remainder of the paper. 2

3 example, Rapide can be viewed as both an ADL and a simulation language, while Clements contends that CODE [NB92], a parallel programming language, is also an ADL [Cle96a]. Another source of discord is the level of support an ADL should provide to developers. At one end of the spectrum, it can be argued that the primary role of architectural descriptions is to aid understanding and communication about a software system. As such, an ADL must have simple, understandable, and possibly graphical syntax, well understood, but not necessarily formally defined, semantics, and the kinds of tools that aid visualization, understanding, and simple analyses of architectural descriptions (e.g., Argo [RR96, RHR96]). At the other end of the spectrum, the tendency has been to provide formal syntax and semantics of ADLs, powerful analysis tools, model checkers, parsers, compilers, code synthesis tools, runtime support tools, and so on (e.g., SADL s architecture refinement patterns [MQR95], Darwin s use of π-calculus to formalize architectural semantics [MK96], or UniCon s parser and compiler [SDK+95]). While both perspectives have merit, ADL researchers have generally adopted one or the other extreme view. It is our contention that both are important and should be reflected in an ADL to a certain degree. Several researchers have attempted to shed light on these issues, either by surveying what they consider existing ADLs [KC94, KC95, Cle96a, Ves93] or by listing essential requirements for an ADL [LV95, SDK+95, SG94, SG95]. Each of these attempts furthers our understanding of what an ADL is; however, for various reasons, each ultimately falls short in providing a definitive answer to the question. This paper builds upon the results of these efforts. It is further influenced by insights obtained from studying individual ADLs, relevant elements of languages commonly not considered ADLs (e.g., programming languages), and experiences and needs of an ongoing research project, C2. The paper presents a definition and a relatively concise classification framework for ADLs: an ADL must explicitly model components, connectors, and their configurations; furthermore, to be truly usable and useful, it must provide tool support for architecture-based development and evolution. These four elements of an ADL are further broken down into their constituent parts. The remainder of the paper is organized as follows. Section II discusses contributions and shortcomings of other attempts at surveying and classifying ADLs. Section III motivates our definition and taxonomy of ADLs. Section IV demonstrates the utility of the definition by determining whether several existing notations are ADLs. Sections V-VIII describe the elements of components, connectors, configurations, and tool support, respectively, and assess the above ADLs based on these criteria. Discussion and conclusions round out the paper. 3

4 II. Related Approaches Any effort such as this one must be based on discoveries and conclusions of other researchers in the field. For that reason, we closely examined ADL surveys conducted by Kogut and Clements [KC94, KC95, Cle96a] and Vestal [Ves93]. We also studied several researchers attempts at identifying essential ADL characteristics and requirements: Luckham and Vera [LV95], Shaw and colleagues [SDK+95], Shaw and Garlan [SG94, SG95], and Tracz [Wolf97]. As a basis for architectural interchange, ACME [GMW95, GMW96] gave us key insights into what needs to remain constant across ADLs. Finally, we built upon our conclusions from an earlier attempt to shed light on the nature and needs of architecture modeling [MTW96]. II.A. Previous Surveys Kogut and Clements [KC94, KC95, Cle96a] provide an extensive classification of existing ADLs. The classification is based on an exhaustive questionnaire of ADL characteristics and features, completed by each language s design team. The survey was conducted in a top-down fashion: the authors used domain analysis techniques to decide what features an ADL should have, and then assessed existing languages with respect to those features. While their taxonomy is valuable in bettering our understanding of surveyed ADLs, it comes up short in several respects. Domain analysis is typically used in well-understood domains, which is not the case with ADLs. Beyond this, the survey does not provide any deeper insight into what an ADL is, nor does it present its criteria for inclusion of a particular modeling notation in the list. Quite the contrary, the list of surveyed languages contains several that are commonly not considered ADLs, yet little justification is given for their inclusion. Perhaps most illustrative is the example of Modechart, a specification language for hard-real-time computer systems [JM94]. Clements labels Modechart a language on the edge of ADLs, whose utility to the architecture community lies in its sophisticated analysis and model checking toolset [Cle95]. Tool support alone is not a sufficient reason to consider it an ADL, however. Other similar examples are CODE [NB92], a graphical parallel programming language; Demeter [HSX91], an approach to object-oriented design and programming; Resolve [HLOW94], a mathematically-based approach to reusable component-based software development, which is related more closely to formal specification languages, such as Larch [GH93] and Z [Spi89], than to other ADLs; and PSDL [KLB93], a rapid prototyping language for real-time systems. Several of the criteria Kogut and Clements used for ADL evaluation, such as the ability to model requirements and algorithms, are outside an ADL s scope. Furthermore, this kind of survey 4

5 runs the risk of not asking all of the relevant questions. Finally, the authors often have to extrapolate very specific information from multiple, potentially subjective, vague, or misunderstood questions. Vestal s approach [Ves93] is more bottom-up. He surveyed four existing ADLs (LILEANNA, MetaH, Rapide, and QAD [HP93]) and attempted to identify their common properties. He concluded that they all model or support the following concepts, though not to the same degree: components, connections, hierarchical composition, where one component contains an entire subarchitecture, computation paradigms, i.e., semantics, constraints, and non-functional properties, communication paradigms, underlying formal models, tool support for modeling, analysis, evaluation, and verification, and automatic application code composition. Although cursory and limited in its scope, Vestal s survey contains useful insights that bring us closer to answering the question of what an ADL is. In its approach, our survey is much closer to Vestal s than to Clements and Kogut s. II.B. Insights from Individual Systems In [LV95], Luckham and Vera list requirements for an ADL, based on their work on Rapide: component abstraction, communication abstraction, communication integrity, which mandates that only components that are connected in an architecture may communicate in the resulting implementation, ability to model dynamic architectures, hierarchical composition, and relativity, or the ability to relate (map) behaviors between architectures. As a result of their experience with UniCon, Shaw and colleagues list the following properties an ADL should exhibit [SDK+95]: ability to model components, with property assertions, interfaces, and implementations, ability to model connectors, with protocols, property assertions and implementations, abstraction and encapsulation, types and type checking, and ability to accommodate analysis tools. 5

6 Clearly, the above features alone cannot be considered definitive indicators of how to identify an ADL. They have resulted from limited experience of two research groups with their own languages. However, they represent valuable data points in trying to understand and classify ADLs. II.C. Attempts at Identifying Underlying Concepts In [Wolf97], Tracz defines an ADL as consisting of four C s: components, connectors, configurations, and constraints. This taxonomy is appealing, especially in its simplicity, but needs further elaboration: justification for and definitions of the four C s, aspects of each that need to be modeled, necessary tool support, and so on. Shaw and Garlan have attempted to identify unifying themes and motivate research in ADLs. Both authors have successfully argued the need to treat connectors explicitly, as first-class entities in an ADL [Sha93, AG94a, AG94b, SG94]. In [SG94], they also elaborate six classes of properties that an ADL should provide: composition, abstraction, reusability, configuration, heterogeneity, and analysis. They demonstrate that other existing notations, such as informal diagrams, modularization facilities provided by programming languages, and MILs, do not satisfy the above properties and hence cannot fulfill architecture modeling needs. In [SG95], Shaw and Garlan identify seven levels of architecture specification capability: capturing architectural information, construction of an instance, composition of multiple instances, selection among design or implementation alternatives, verifying adherence of an implementation to specification, analysis, and automation. They conclude that, while ADLs invariably provide notations for capturing system descriptions (level 1), few support other levels. It is unclear, however, what set of criteria they applied to the different ADLs and how stringent those criteria were, particularly since this paper will show that a number of ADLs do provide a considerable amount of support for most of the above capabilities. Finally, in [MTW96], Medvidovic and colleagues argue that, in order to adequately support architecture-based development and analysis, one must model them at four levels of abstraction: internal component semantics, component interfaces, component interconnections in an architecture, and architectural style rules. This taxonomy presents an accurate high-level view of 6

7 architecture modeling needs, but is too general to serve as an adequate ADL comparison framework. Furthermore, it lacks any focus on connectors. II.D. Architecture Interchange Perhaps the closest the research community has come to a consensus on ADLs has been its endorsement of ACME as an architecture interchange language [GMW95, GMW96]. In order to meaningfully interchange architectural specifications across ADLs, a common basis for all ADLs must be established. Garlan and colleagues believe that common basis to be their core ontology for architectural representation: components, connectors, systems, or configurations of components and connectors, ports, or points of interaction with a component, roles, or points of interaction with a connector, representations, used to model hierarchical compositions, and rep-maps, which map a composite component or connector s internal architecture to elements of its external interface. In ACME, any other aspect of architectural description is represented with property lists (i.e., it is not core). ACME has resulted from a careful consideration of issues in and notations for modeling architectures. As such, it can be viewed as the starting point for studying existing ADLs and developing new ones. However, ACME represents the least common denominator of existing ADLs rather than a definition of an ADL. It also does not provide any means for understanding or classifying those features of an architectural description that are placed in property lists. Finally, certain structural constraints imposed by ACME, such as its requirement that a connector may not be directly attached to another connector, satisfy the needs of some approaches (e.g., Aesop, UniCon, Wright), but not of others (e.g., C2). III. ADL Classification and Comparison Framework Individually, of the above attempts adequately answer the question of what an ADL is. Instead, they reflect their authors views on what an ADL should have or should be able to do. However, a closer study of their various collections of features and requirements shows that there is a common theme among them, which is used as a guide in formulating this framework for ADL classification and comparison. To complete the framework, the characteristics of individual ADLs 7

8 and summaries of discussions on ADLs that occurred at the two International Software Architecture Workshops [Gar95a, Wolf96] were studied. To a large degree, this taxonomy reflects features supported by all, or most, existing ADLs. In certain cases, also included are those characteristics typically not supported by ADLs, but which have been identified as important for architecture-based development. To properly enable further discussion, several definitions are needed. There is no standard, universally-accepted definition of architecture, but we will use as our working definition the one provided by Garlan and Shaw [GS93]: [Software architecture is a level of design that] goes beyond the algorithms and data structures of the computation: designing and specifying the overall system structure emerges as a new kind of problem. Structural issues include gross organization and global control structure; protocols for communication, synchronization, and data access; assignment of functionality to design elements; physical distribution; composition of design elements; scaling and performance; and selection among design alternatives. An ADL is a language that provides features for modeling a software system s conceptual architecture. ADLs provide both a concrete syntax and a conceptual framework for characterizing architectures [GMW96]. The conceptual framework reflects characteristics of the domain for which the ADL is intended and/or the architectural style. The framework typically subsumes the ADL s underlying semantic theory (e.g, CSP, Petri nets, finite state machines). The building blocks of an architectural description are (1) components, (2) connectors, and (3) architectural configurations. 2 An ADL must provide the means for their explicit specification; this enables us to determine whether or not a particular notation is an ADL. In order to infer any kind of information about an architecture, at a minimum, interfaces of constituent components must also be modeled. Without this information, an architectural description becomes but a collection of (interconnected) identifiers. Several aspects of both components and connectors are desirable, but not essential: their benefits have been acknowledged and possibly demonstrated by some ADL, but their absence does not mean that a given language is not an ADL. These features are interfaces (for connectors), and types, semantics, constraints, evolution, and non-functional properties (for both). Desirable features of configurations are understandability, heterogeneity, compositionality, constraints, refinement and traceability, scalability, evolution, dynamism and non-functional properties. 2. Architectural configurations will, at various times in this paper, be referred to simply as configurations or topologies. 8

9 Finally, even though the suitability of a given language for modeling software architectures is independent of whether and what kinds of tool support it provides, an accompanying toolset will render an ADL both more usable and useful. The kinds of tools that are desirable in an ADL are those for active specification, multiple views, analysis, refinement, code generation, and dynamism. This taxonomy is depicted in Fig. 1. The taxonomy is intended to be extensible and modifiable, which is crucial in a field that is still largely in its infancy. The features of a number of surveyed languages are still changing (e.g., SADL, ACME, C2, ArTek). Moreover, work is being continuously done on extending tool support for all ADLs. Sections V-VIII elaborate further on components, connectors, configurations, and tool support in ADLs. They motivate the taxonomy and compare existing ADLs based on their level of support of the different categories. ADL Architecture Modeling Features Components Interface Types Semantics Constraints Evolution Non-functional properties Connectors Interface Types Semantics Constraints Evolution Non-functional properties Architectural Configurations Understandability Compositionality Heterogeneity Constraints Refinement and traceability Scalability Evolution Dynamism Non-functional properties Tool Support Active Specification Multiple Views Analysis Refinement Code Generation Dynamism Fig. 1. ADL classification and comparison framework. Essential modeling features are bolded. 9

10 IV. Differentiating ADLs from Other Languages In order to clarify what is an ADL, it may be useful to point out several notations that, though similar, are not ADLs according to our definition: high-level design notations, MILs, programming languages, object-oriented (OO) modeling notations, and formal specification languages. The requirement to model configurations explicitly distinguishes ADLs from some highlevel design languages. Existing languages that are commonly referred to as ADLs can be grouped into three categories based on how they model configurations: implicit configuration languages model configurations implicitly through interconnection information that is distributed across definitions of individual components and connectors; in-line configuration languages model configurations explicitly, but specify component interconnections, along with any interaction protocols, in-line; explicit configuration languages model both components and connectors separately from configurations. The first category, implicit configuration languages, are, by the definition given in this paper, not ADLs, although they may serve as useful tools in modeling certain aspects of architectures. Two examples of such languages are LILEANNA and ArTek. In LILEANNA, interconnection information is distributed among the with clauses of individual packages, package bindings (view construct), and compositions (make). In ArTek, there is no configuration specification; instead, each connector specifies component ports to which it is attached. The focus on conceptual architecture and explicit treatment of connectors as first-class entities differentiate ADLs from MILs [DK76, PN86], programming languages, and OO notations and languages (e.g., Unified Method [BR95]). MILs typically describe the uses relationships among modules in an implemented system and support only one type of connection [AG94a, AG94b, SG94]. Programming languages describe a system s implementation, whose architecture is typically implicit in subprogram definitions and calls. Explicit treatment of connectors also distinguishes ADLs from OO languages, as demonstrated in [LVM95]. It is important to note, however, that there is less than a firm boundary between ADLs and MILs. Certain ADLs, e.g., Wright and Rapide, model components and connectors at a high level of abstraction and do not assume or prescribe a particular relationship between an architectural description and an implementation. We refer to these languages as implementation independent. On the other hand, several ADLs, e.g., UniCon and MetaH, require a much higher degree of fidelity of an architecture to its implementation. Components modeled in these languages are directly related to their implementations, so that a module interconnection specification may be 10

11 indistinguishable from an architectural description in such a language. These are implementation constraining languages. Darwin has elements of both implementation constraining and independent languages: it ties each primitive component to its implementation, but also enables modeling of high-level, composite components. Given this composition feature and the fact that a valid Darwin architecture need not contain primitive components, we are inclined to consider Darwin an implementation independent language. An ADL typically subsumes a formal semantic theory. That theory is part of an ADL s underlying framework for characterizing architectures; it influences the ADL s suitability for modeling particular kinds of systems (e.g., highly concurrent systems) or particular aspects of a given system (e.g., its static properties). Examples of formal specification theories are Petri nets [Pet62], Statecharts [Har87], partially-ordered event sets [LVB+93], communicating sequential processes (CSP) [Hoa85], model-based formalisms (e.g., chemical abstract machine [IW95], Z [Spi89]), algebraic formalisms (e.g., Obj [GW88]), and axiomatic formalisms (e.g., Anna [Luc87]). Of the above-mentioned formal notations, Z has been demonstrated appropriate for modeling only certain aspects of architectures, such as architectural style rules [AAG93, MTW96]. Partially-ordered event sets, CSP, Obj, and Anna have already been successfully used by existing modeling languages (Rapide, Wright, and LILEANNA, respectively). Modeling capabilities of the remaining three, Petri nets, Statecharts, and chemical abstract machines, are somewhat similar to those of ADLs. Although they do not express systems in terms of components, connectors, and configurations per se, their features may be cast in that mold and they may be considered ADLs in their existing forms. In the remainder of this section we will discuss why it would be inappropriate to do so. IV.A. Petri Nets Petri net places can be viewed as components maintaining state, transitions as components performing operations, arrows between places and transitions as simple connectors, and their overall interconnection structure as a configuration. Petri nets mandate that processing components may only be connected to state components and vice-versa. This may be an unreasonable restriction. Overcoming it may require some creative and potentially counterintuitive architecting. A bigger problem is that Petri nets do not model component interfaces, i.e., they do not distinguish between different types of tokens. If we think of tokens as messages exchanged among components, this is a crucial shortcoming. Colored Petri 11

12 nets [Jen92, Jen94] attempt to remedy this problem by allowing different types of tokens. However, even they explicitly model only the interfaces of state components (places), but not of processing components (transitions). Therefore, Petri nets violate the definition of ADLs. IV.B. Statecharts Statecharts is a modeling formalism based on finite state machines (FSM) that provides a state encapsulation construct, support for concurrency, and broadcast communication. To compare Statecharts to an ADL, the states would be viewed as components, transitions among them as simple connectors, and their interconnections as configurations. However, Statecharts does not model architectural configurations explicitly: interconnections and interactions among a set of concurrently executing components are implicit in intra-component transition labels. In other words, as was the case with LILEANNA and ArTek, the topology of an architecture described as a StateChart can only be ascertained by studying its constituent components. Therefore, Statecharts is not an ADL. There is, however, an even deeper issue in attempting to model architectures as FSMs. Namely, even though it may be useful to represent component or connector semantics with Statecharts, it is doubtful that an adequate architectural breakdown of a system can be achieved from a state-machine perspective. Harel [Har87] agrees with this, arguing that one has to assume some physical and functional description of the system, providing, say, a hierarchical decomposition into subsystems and the functions and activities they support. This description should also identify the external input and output ports and their associated signals. Statecharts can then be used to control these internal activities. Although we are aware of the fact that achieving such a functional decomposition is by no means a trivial matter, we assume that this kind of description is given or can be produced using an existing method. IV.C. Chemical Abstract Machine In the chemical abstract machine (CHAM) approach, an architecture is modeled as an abstract machine fashioned after chemicals and chemical reactions. A CHAM is specified by defining molecules, their solutions, and transformation rules that specify how solutions evolve. An architecture is then specified with processing, data, and connecting elements. The interfaces of processing and connecting elements are implied by (1) their topology and (2) the data elements their current configuration allows them to exchange. The topology is, in turn, implicit in a solution and the transformation rules. Therefore, even though CHAM can be used effectively to prove 12

13 certain properties of architectures, without additional syntactic constructs it does not fulfill the requirements to be an ADL. V. Components A component is a unit of computation or a data store. Therefore, components are loci of computation and state [SDK+95]. A component in an architecture may be as small as a single procedure (e.g., MetaH procedures) or as large as an entire application (e.g., hierarchical components in C2 and Rapide or macros in MetaH). It may require its own data and/or execution space, or it may share them with other components. Each surveyed ADL models components in one form or another and under various names. ACME, Aesop, C2, Darwin, SADL, UniCon, and Wright share much of their vocabulary and refer to them simply as components; in Rapide they are interfaces; 3 and in MetaH processes. In this section, we present the aspects of components that need to be modeled in an ADL and assess existing ADLs with respect to them. V.A. Interface A component s interface is a set of interaction points between it and the external world. As in OO classes or Ada package specifications, a component interface in an ADL specifies those services (messages, operations, and variables) the component provides. In order to be able to adequately reason about a component and the architecture that includes it, ADLs should also provide facilities for specifying component needs, i.e., services required of other components in the architecture. An interface thus defines computational commitments a component can make and constraints on its usage. Interfaces also enable a certain, though rather limited, degree of reasoning about component semantics. All surveyed ADLs support specification of component interfaces. They differ in the terminology and the kinds of information they specify. For example, each interface point in ACME, Aesop, SADL, and Wright is a port. On the other hand, in C2, the entire interface is provided through a single port; individual interface elements are messages. In Darwin, an interface point is a service, in Rapide a constituent, and in UniCon a player. MetaH distinguishes between ports, events, and shared data. 3. Interface is a language construct; the authors commonly refer to components as components. 13

14 The ports in ACME, Aesop, SADL, and Wright are named and typed. Aesop and SADL distinguish between input and output ports (inputs and outputs in Aesop; iport and oport in SADL). Wright goes a step further by specifying the expected behavior of the component at that point of interaction. The particular semantics of a port are specified in CSP [Hoa85] as interaction protocols. In the example given in Fig. 2 below, DataRead is a simple input (read only) port: component DataUser = port DataRead = get DataRead other ports... Fig. 2. Interaction protocol for a component port in Wright. A C2 component interface consists of single top and bottom ports. Both incoming and outgoing message traffic is routed through each port. An important distinction among C2 messages is between requests and notifications. Due to C2 s principle of substrate independence, a component has no knowledge of components below it in an architecture. For that reason, any messages sent down an architecture must be notifications of that component s internal state; requests may only be sent up. Component interface specifications in Darwin specify services provided and required by a component, as well as types of those services. Each service type is further elaborated with an interaction mechanism that implements the service. For example, trace services are implemented with events, outputs are accomplished via ports, and commands accept entry calls. MetaH specifies input and output ports on components (processes). Ports are strongly typed and connections among them type checked. They are the means for periodic communication: each port has an associated buffer variable and port-to-port communication results in assignment. Aperiodic communication is modeled by output events. Finally, sharable monitors or packages are the means of indicating shared data among components. Rapide subdivides component interfaces into constituents: provides, requires, action, and service. Provides and requires refer to functions. Connections between them specify synchronous communication. In and out actions denote the events a component can observe and generate, respectively. Connections between actions define asynchronous communication. A service is an aggregation facility for a number of actions and functions. It is a mechanism for abstracting and reusing component interface elements. 14

15 Finally, UniCon specifies interfaces as sets of players. Players are visible semantic units through which a component interacts by requesting or providing services and receiving external state and events. Each player consists of a name, a type, and optional attributes such as signature, functional specification, or constraints. UniCon supports a predefined set of player types: RoutineDef, RoutineCall, GlobalDataDef, GlobalDataUse, ReadFile, WriteFile, ReadNext, WriteNext, StreamIn, StreamOut, RPCDef, RPCCall, and RTLoad. PLBundle denotes a set of players. V.B. Types Software reuse is one of the primary goals of architecture-based development [BS92, GAO95, MOT97]. Since architectural decomposition is performed at a level of abstraction above source code, ADLs can support reuse by modeling abstract components as types. Component types can then be instantiated multiple times in an architectural specification and each instance may correspond to a different implementation of the component. Abstract component types can also be parameterized, further facilitating reuse. 4 All of the surveyed ADLs distinguish component types from instances. Rapide does so with the help of a separate types language [LKA+95]. With the exception of MetaH and UniCon, all ADLs provide extensible component type systems. MetaH and UniCon support only a predefined, built-in set of types. MetaH component types are process, macro, mode, system, and application. 5 Component types supported by UniCon are Module, Computation, SharedData, SeqFile, Filter, Process, SchedProcess, and General. Three ADLs make explicit use of parameterization: ACME, Darwin, and Rapide. ACME provides component templates, which are typed and parameterized macro facilities for specifications of recurring component patterns. Parameterized types in Rapide are type constructors; applying them to appropriate arguments results in a type. ACME and Darwin only allow parameterization of component type declarations, while Rapide also allows the behavior associated with a particular type to be parameterized by specifying event patterns, discussed below. 4. A detailed discussion of the role of parameterization in reuse is given in [Kru92]. 5. As MetaH is used to specify both the software and the hardware architecture of an application, system is a hardware construct, while application pertains to both. 15

16 V.C. Semantics In order to be able to perform useful analyses, enforcement of constraints, and consistent mappings of architectures from one level of abstraction to another, component semantics should be modeled. However, several languages do not model component semantics beyond interfaces. SADL and Wright focus on other aspects of architectural description (connectors and refinement). Wright does enable specification of interaction protocols for each component interface point, and while it does not focus on it, it also allows specification of component functionality in CSP. Underlying semantic models and their expressive power vary across those ADLs that do support specification of component behavior. ACME and UniCon allow semantic information to be specified in components property lists. ACME places no restrictions on the specification language; however, from its point of view, properties are uninterpreted, so that, strictly speaking, component semantics are outside the scope of the language. Although UniCon s main focus is on non-functional properties of components (see Section V.F), it allows specification of event traces in property lists to describe component behavior. Aesop does not provide any language mechanisms for specifying component semantics. However, for each architectural style defined in Aesop, it allows the use of style-specific languages for modeling semantics. MetaH allows specification of component implementation semantics with path declarations. A path declaration consists of an optional identifier, followed by the names of (more primitive) components in that path. MetaH also uses an accompanying language, ControlH, for modeling algorithms in the guidance, navigation, and control (GN&C) domain [BEJV94]. In Rapide, each component specification has an associated behavior, which is defined via partially ordered sets of events (posets). Rapide uses event patterns to recognize posets. During poset recognition, free variables in a pattern are bound to specific matching values in a component s poset. Event patterns are used both as triggers and outputs of component state transitions. C2 currently employs a more primitive semantic model. Component semantics are expressed in terms of causal relationships between input and output messages in its interface. At the level of a configuration, this information can be used to generate linear traces of events, similar to VHDL s [VHDL87] and Verilog s [TM91]. Rapide s posets are a related but more powerful modeling mechanism [LV95]. Finally, Darwin uses π-calculus [MPW92] as its underlying semantic model. A system in the π-calculus is a collection of independent processes which communicate via named channels. 16

17 π-calculus is used to model basic component interaction and composition properties, so that each syntactic Darwin construct concerned with requiring, providing, and binding services is modeled in it. It is important to note that using π-calculus in this manner only supports modeling the semantics of composite Darwin components (further discussed in Section VII.B), while primitive components are treated as black boxes. V.D. Constraints A constraint is a property of or assertion about a system or one of its parts, the violation of which will render the system unacceptable to one or more stakeholders [Cle96b]. In order to ensure adherence to intended component uses, enforce usage boundaries, and establish dependencies among internal elements of a component, constraints on them must be specified. Constraints may be defined in a separate constraint language, or they may be specified using the notation of the given ADL and its underlying semantic model. All surveyed languages constrain usage of components by specifying their interfaces as the only legal means of interaction. Formal specification of component semantics further specifies relationships and dependencies among internal elements of a component. Several ADLs provide additional means for specifying constraints on components: Aesop, C2, and SADL provide stylistic invariants. Unlike Aesop and SADL, which support multiple architectural styles, C2 s invariants, such as the number of communication ports and distinction between requests and notifications, are specific to a single style and are therefore fixed. MetaH constrains implementation and usage of a component by specifying its non-functional properties or attributes, such as Period, ExecutionTime, Deadline, Criticality, TimeSliceOption, and AllowedBinding. UniCon also constrains component usage with attributes, such as EntryPoint into a component and Priority. Attributes are either required or optional. For each attribute, a rule must be specified on how to handle its multiple specifications within a single component. For example, parameters used for component instantiation (InstFormals) are merged, while any new occurrence of Priority replaces the previous one. UniCon also restricts the types of players that can be provided by certain types of components. For each player, its maximum and minimum numbers of connections are specified (MaxAssocs and MinAssocs, respectively). Rapide uses an Anna-like algebraic constraint language to specify constraints on the abstract state of a component. It also enables specification of pattern constraints on event posets that are generated and observed from a component s interface. Pattern constraints specify how to use a particular component and what the component promises to do. In the example shown in 17

18 Fig. 3 below, the constraint implies that all, and only, messages taken in by the Resource component are delivered Wright specifies protocols of interaction with a component for each port in CSP. type Resource is interface public action Receive(Msg : String); extern action Results(Msg : String); constraint match ((?S in String)(Receive(?S)->Results(?S)))^(*~); end Resource; Fig. 3. A pattern constraint in Rapide. V.E. Evolution As design elements, components evolve. ADLs must support the evolution process by allowing subtyping of components and refinement of their features. Only a subset of existing ADLs provide support for evolution. Even within those ADLs, evolution support is limited and often relies on the chosen implementation (programming) language. The remainder of the ADLs view and model components as inherently static. MetaH and UniCon define component types by enumeration, allowing no subtyping, and hence no evolution support. ACME has only recently introduced types, but currently provides no subtyping features. Aesop supports behavior-preserving subtyping to create substyles of a given architectural style. Aesop mandates that a subclass must provide strict subtyping behavior for operations that succeed, but may also introduce additional sources of failure with respect to its superclass. Rapide allows its interface types to inherit from other types by using OO methods, resulting in structural subtyping. Both Rapide and SADL also provide features for refinement of components across levels of abstraction. This mechanism may be used to evolve components by explicating any deferred design decisions, which is somewhat similar to extending inherited behavior in OO languages. It is interesting to note that, in a general case, subtyping is simply a form of refinement. This is, however, not true in the case of Rapide and SADL, both of which place additional constraints on refinement maps in order to prove or demonstrate certain properties of architectures (see Section VII.E). 18

19 One ADL that stands out in its support for component evolution is C2. C2 attempts to avoid dependence on subtyping mechanisms provided by any underlying programming language. Its approach is based on the realization that architectural design is a complex activity in which architectures may incorporate components implemented in heterogeneous programming languages; therefore, an ADL cannot rely on a single subtyping method provided by any one language. C2 models conceptual component placeholders as formal parameters, while the implemented components that instantiate them are actual parameters. Multiple subtyping and type-checking relationships among components are allowed: name, interface, behavior, and implementation subtyping, as well as their combinations [MORT96]. V.F. Non-Functional Properties Specification of non-functional properties of components is needed to enable simulation of their runtime behavior, perform useful analyses on components, enforce constraints, map component implementations to processors, and aid in project management (e.g., by specifying stringent performance requirements, development of a component may need to be assigned to the best engineer). Despite the need for and potential benefits of specifying non-functional properties, there is a striking lack of support for them in existing ADLs. ACME allows specification of a superset of all ADLs non-functional properties in its property lists. However, as discussed above, it neither interprets nor does it make any use of them. Aesop allows association of arbitrary text with component specifications. Such arbitrary text may include non functional properties, although such a possibility has not been explicitly considered by Aesop s developers. The two ADLs that stand out in their ability to express non-functional properties of components are MetaH and UniCon. Both of these languages need such information to analyze architecture for real-time schedulability (both ADLs) and reliability and security (MetaH). Both also use source code location attributes for code generation. Several representative non-functional properties in MetaH are SourceName, SourceFile, ClockPeriod, Deadline, and Criticality. UniCon allows specification of Priority, Library, ImplType (source, object, executable, data, or whatever), and Processor. V.G. Summary of ADL Components Overall, surveyed ADLs provide comprehensive support for modeling components. All of them regard components as first-class entities. Furthermore, all model interfaces and distinguish 19

20 between component types and instances. On the other hand, a majority of the ADLs do not support evolution or non-functional properties. It is illustrative that Aesop is the only ADL that provides at least some support for each of the six classification categories and that, of the four ADLs that support five of the categories, C2 and Rapide do not model non-functional properties, and MetaH and UniCon do not support evolution. Every ADL supports or allows at least four of the six categories. A more complete summary of this section is given in Table 1 below. Table 1: ADL Support for Modeling Components Features ADL Characteristics Interface Types Semantics Constraints Evolution Component; interface points via interfaces ACME implementation are ports only independent Aesop C2 Darwin MetaH Rapide SADL UniCon Wright Component; implementation independent Component; implementation independent Component; implementation independent; Process; implementation constraining Interface; implementation independent Component; implementation independent; Component; implementation constraining Component; implementation independent; extensible type system; parameterization enabled with templates interface points extensible type are input and output system ports entire interface one port; interface elements are messages (notifications and requests) interface points are services (provided and required) interface points are ports interface points are constituents (provides, requires, action, and service) interface points are input and output ports (iports and oports) interface points are players interface points are ports; port interaction semantics specified in CSP extensible type system extensible type system; supports parameterization Predefined, enumerated set of types extensible type system; contains a types sublanguage; supports parameterization extensible type system; component types tightly coupled to styles predefined, enumerated set of types extensible type system no support; can use other ADLs semantic models in property lists (optional) stylespecific languages for specifying semantics causal relationships between input and output messages π-calculus ControlH for modeling algorithms in the GN&C domain; implementation semantics via paths partially ordered event sets (posets) event traces in property lists not the focus; allowed in CSP via interfaces and semantics; stylistic invariants via interfaces and semantics; stylistic invariants via interfaces and semantics via interfaces and semantics; modes; nonfunctional attributes via interfaces and semantics; algebraic constraints on component state; pattern constraints on event posets via interfaces; stylistic invariants behavior-preserving subtyping name, interface, behavior and implementation subtyping (and their combinations) via interfaces and semantics; attributes; restrictions on players that can be provided by component types protocols of interaction for each port in CSP inheritance (structural subtyping) component refinement via pattern maps Non-Functional Properties allows any attribute in property lists, but does not operate on them allows association of arbitrary text with components attributes needed for real-time schedulability, reliability, and security analysis attributes for schedulability analysis 20

21 VI. Connectors Connectors are architectural building blocks used to model interactions among components and rules that govern those interactions. Unlike components, connectors may not correspond to compilation units in an implemented system. They may be implemented as separately compilable message routing devices (e.g., C2), but may also manifest themselves as shared variables, table entries, buffers, instructions to a linker, dynamic data structures, sequences of procedure calls embedded in code, initialization parameters, client-server protocols, pipes, SQL links between a database and an application, and so on [GMW95, SDK+95]. As such, connector specifications in an ADL may also need to contain hints for implementing a particular kind of connector. As in the case of components, surveyed ADLs model connectors in various forms and under various names. For example, languages such as ACME, Aesop, C2, SADL, UniCon, and Wright model connectors explicitly and refer to them as connectors. In Rapide and MetaH they are connections, modeled in-line, and cannot be named, subtyped, or reused (i.e., connectors are not first-class entities). 6 Connectors in Darwin are bindings and are also specified in-line, i.e., in the context of a configuration only. In this section, we present the aspects of connectors that we believe need to be modeled in an ADL and compare existing ADLs with respect to them. VI.A. Interface In order to enable proper connectivity of components and their communication in an architecture, a connector should export as its interface those services it expects. Therefore, a connector s interface is a set of interaction points between it and the components attached to it. It enables reasoning about the well-formedness of an architectural configuration. Only those ADLs that support modeling of connectors explicitly, independently of configurations in which they are used, support specification of connector interfaces. ACME, Aesop, UniCon, and Wright refer to connector interface points as roles. Explicit connection of component ports and connector roles is required in an architectural configuration. Roles are named and typed, and are in many ways similar to component ports (players in UniCon), discussed in Section V.A. Aesop distinguishes between input and output roles (sources and sinks). Semantics of each role s interaction protocol in Wright are specified in CSP, similar to port protocols shown in Fig. 2. This allows for analysis of compatibility between connected 6. MetaH does allow a connection to be named optionally, but that feature has not been demonstrated in any examples in published literature about MetaH. Based on that, and given the primitive nature of a MetaH connection, it is unclear what purpose connection names may serve in an architecture. 21